SANS Malware Quiz 4
By: Antony Thompson

Due to my inability to set up a secure environment in which to analyse the behaviour of this code, a predominantly passive analysis was undertaken. I am sure that other people's answers to the quiz will provide a better live analysis than I can.

The first step

The .scr file was unzipped and its MD5 calculated. Yes, they match.

    Alleged MD5 value : 58d07b9eec151ae840f28c9129b4d6a0
    Hksfv MD5 value   : 58d07b9eec151ae840f28c9129b4d6a0

Step 2

Hmm, funny icon for a .scr (screensaver) file. Looks more like the kind of icon you see on installer / setup programs.

Step 3

OK, time to see what strings this screensaver has inside it, using strings.exe from Sysinternals. Some interesting info here:

    MZP
    This program must be run under Win32
    .aspack
    VS_VERSION_INFO
    StringFileInfo
    041604E4
    CompanyName
    Microsoft Corporation
    FileDescription
    FileVersion
    1.0.1.1
    InternalName
    SVCHOST
    LegalCopyright
    Microsoft Corporation. Todos os direitos reservados.
    LegalTrademarks
    OriginalFilename
    SVCHOST.EXE
    ProductName
    Sistema operacional Microsoft Windows
    ProductVersion
    1.0.0.0

From the .aspack string it appears to be packed with ASPack. If we look at the properties of the .scr in Explorer we see the same Company Name, Internal Name etc. information listed above. So it purports to be a Microsoft file originally called svchost.exe, packed with ASPack. Hmm...

Question 1 - Is it packed?

Well, the string .aspack suggests it is. Time to double check with PEiD. Yes, it looks like it really is packed with ASPack 2.12.

Question 2 - Without running the file, what do you think that this malware can and will do?

Well, before we can analyse this any further we need to try and remove ASPack. The first thing to do is to see if the ASPack program itself can remove its own protection. Downloading it from www.aspack.com and running it against the .scr file says it's already packed. No apparent option to unpack it.
A quick check of the built-in FAQ says the following:

    Can I decompress an ASPack'ed file?
    No. One of the reasons for using ASPack is to protect applications against patches and decompilation, and the decompressor by design creates obstacles for hackers.

Time to find another method. Do you remember back in Quiz 1 where files three and four were packed with PECompact but had references to aspackdie! in them as well? Well, this is a tool to remove ASPack protection. Lucky, hey ;-)

Public Service Broadcast 1: there is another tool, PMAK (Pmode Aspack Killer), which also removes ASPack 2.12.

As this was the first time that I had used AspackDie I decided to set up a virtual machine in which to test out this malware, and AspackDie. VMware was used with XP Pro as the guest operating system. Among the tools installed were MS AntiSpyware, HijackThis, Regshot, Winalysis, Process Explorer, Registry Monitor, File Monitor, Ethereal, Wisdom ScreenHunter, PSPad and of course AspackDie. A quick comparison of the guest system before and after running AspackDie suggested that no unexpected changes had been made during the unpack process.

As noted by a contributor to Malware Quiz 3, some malware checks to see if it is being run in a virtual environment. Redpill.exe and Scoobysnack are two programs that demonstrate how this can be achieved.

OK, we now have a file called unpack.exe. Looking at the strings it contains produces some very interesting information.

Firstly there is a reference to Delphi:

    Software\Borland\Delphi\Locales

This program was probably written in this language. We will come back to this later...

Next there appear to be lots of references to socket information:

    accept
    bind
    closesocket
    connect
    ioctlsocket
    getpeername
    getsockname
    getsockopt
    htonl
    htons
    inet_addr
    inet_ntoa

So it would appear that it can transmit / receive information on the network, which of course includes the internet.
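The checks so far (the MD5 comparison in Step 1, the strings run in Step 3 and PEiD's packer verdict in Question 1) are easy to script, so here is a small Python triage script as an added example. It is not part of the original write-up and it never touches the quiz sample: the PE image it analyses is a constructed stand-in built by build_sample(), carrying the same markers (an MZP stub, a section named .aspack, version-info fields, Winsock names, a Run-key path and a .com.br hostname). It walks the PE section table, flags packer-style section names (.aspack and .adata are what ASPack leaves behind; UPX0/UPX1 are included as a second common case) and high byte entropy, and buckets printable strings into categories. The alleged MD5 is the quiz value, so on the stand-in the hash check correctly reports a mismatch. Category names, the 7.0 entropy threshold and the regexes are my assumptions.

```python
"""Static triage of a suspicious PE: hash check, packer heuristics, categorised strings.
Added example; build_sample() is a constructed stand-in, not the quiz file."""
import hashlib
import math
import re
import struct

QUIZ_MD5 = "58d07b9eec151ae840f28c9129b4d6a0"   # the alleged value quoted in the quiz
PACKER_SECTION_NAMES = {".aspack", ".adata", "UPX0", "UPX1"}  # names ASPack / UPX leave behind
HIGH_ENTROPY = 7.0   # bits per byte; packed or encrypted data usually sits above this (assumed cut-off)

STRING_CATEGORIES = {   # assumed buckets; extend to taste
    "winsock": re.compile(r"^(accept|bind|closesocket|connect|ioctlsocket|getpeername|getsockname|"
                          r"getsockopt|htonl|htons|inet_addr|inet_ntoa|socket|send|recv)$"),
    "mime-mail": re.compile(r"^(Content-Type|Content-Transfer-Encoding|MIME-Version|X-Priority)"),
    "version-info": re.compile(r"^(VS_VERSION_INFO|CompanyName|InternalName|OriginalFilename|ProductName)$"),
    "run-key": re.compile(r"CurrentVersion\\Run", re.IGNORECASE),
    "bank-url": re.compile(r"\.com\.br$", re.IGNORECASE),
    "dropped-path": re.compile(r"^\\[\w.]+\.(exe|txt)$", re.IGNORECASE),
}


def build_sample():
    """Constructed minimal PE: MZP stub, .text holding the tell-tale strings,
    a high-entropy .aspack section (hash output stands in for packed code) and .adata."""
    text = (b"This program must be run under Win32\0"
            b"VS_VERSION_INFO\0CompanyName\0Microsoft Corporation\0"
            b"InternalName\0SVCHOST\0OriginalFilename\0SVCHOST.EXE\0"
            b"accept\0bind\0connect\0htons\0inet_addr\0"
            b"Content-Type: multipart/alternative;\0"
            b"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\0"
            b"\\svchosts.exe\0\\mswndkl.txt\0www14.bancobrasil.com.br\0").ljust(1024, b"\0")
    packed = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    bodies = [(b".text", text), (b".aspack", packed), (b".adata", b"\0" * 64)]
    e_lfanew = 0x40
    dos = b"MZP".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)      # e_lfanew lives at 0x3C
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(bodies), 0, 0, 0, 0, 0x0102)
    raw_ptr = e_lfanew + len(coff) + 40 * len(bodies)                  # raw data follows the table
    headers, raw = b"", b""
    for name, body in bodies:
        headers += struct.pack("<8sIIIIIIHHI", name, len(body), 0x1000 + raw_ptr,
                               len(body), raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw_ptr += len(body)
        raw += body
    return dos + coff + headers + raw


def entropy(buf):
    """Shannon entropy in bits per byte (0.0 for all-identical bytes, ~8.0 for random data)."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return 0.0 - sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(data):
    """DOS header -> e_lfanew -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size            # section table follows the optional header
    sections = []
    for i in range(nsections):
        name, _vs, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        body = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "raw_size": raw_size, "entropy": round(entropy(body), 2)})
    return sections


def packer_hints(sections):
    """Two cheap packer tells: a known packer section name, or a very high-entropy section."""
    hints = []
    for s in sections:
        if s["name"] in PACKER_SECTION_NAMES:
            hints.append(f'{s["name"]}: known packer section name')
        if s["raw_size"] > 0 and s["entropy"] > HIGH_ENTROPY:
            hints.append(f'{s["name"]}: entropy {s["entropy"]} > {HIGH_ENTROPY}')
    return hints


def categorise_strings(data, min_len=4):
    """Printable-ASCII runs (what strings.exe prints), sorted into the buckets above."""
    found = {cat: [] for cat in STRING_CATEGORIES}
    for raw in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data):
        s = raw.decode("ascii")
        for cat, pattern in STRING_CATEGORIES.items():
            if pattern.search(s):
                found[cat].append(s)
    return found


def triage(data, alleged_md5=QUIZ_MD5):
    """Everything a first pass wants in one dict: hashes, sections, packer hints, strings."""
    md5 = hashlib.md5(data).hexdigest()
    sections = parse_sections(data)
    return {"md5": md5, "md5_matches_alleged": md5 == alleged_md5.lower(),
            "sha256": hashlib.sha256(data).hexdigest(), "sections": sections,
            "packer_hints": packer_hints(sections), "strings": categorise_strings(data)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample()), indent=2))   # on a real file: triage(open(p, "rb").read())
```

The entropy tell is the one that survives a renamed section: a packer can call its section anything, but compressed code stays close to 8 bits per byte, which is why PEiD-style name signatures and an entropy figure are best read together.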
Next there are some references to e-mail, newsgroup and MIME related strings as well:

    Content-Transfer-Encoding
    Content-Type
    Content-Transfer-Encoding
    Content-Type
    This is a multi-part message in MIME format
    =_NextPart_2relrfksadvnqindyw3nerasdf
    =_NextPart_2rfkindysadvnqw3nerasdf
    Content-Type: multipart/alternative;
    From
    Subject
    Newsgroups
    Content-Type
    1.0
    MIME-Version
    Content-Transfer-Encoding
    Sender
    Reply-To
    Organization
    Disposition-Notification-To
    boundary="=_NextPart_2altrfkindysadvnqw3nerasdf"
    --=_NextPart_2altrfkindysadvnqw3nerasdf
    --=_NextPart_2altrfkindysadvnqw3nerasdf--
    Content-Type: text/plain
    Content-Transfer-Encoding: 7bit
    base64
    attachment
    application/octet-stream
    Content-Type:
    name="
    References
    Date
    X-Priority
    Indy 9.00.10
    X-Library
    Content-Transfer-Encoding:
    Content-Disposition:
    filename="
    --=_NextPart_2rfkindysadvnqw3nerasdf
    --=_NextPart_2rfkindysadvnqw3nerasdf--
    Content-Type
    Content-Transfer-Encoding
    Content-Disposition
    Subject
    From
    Message-Id
    Newsgroups
    Organization
    Disposition-Notification-To
    Return-Receipt-To
    References
    Reply-To
    Date
    Sender
    Priority
    X-Priority

So it would appear that this program can also send e-mail as well.

Next, lots of references in Portuguese to banks and bank details:

    Banco Do Brasil
    Logando ...... Aguarde..
     - Microsoft Internet Explorer
    Banco Ita
    Bradesco
    ncia em branco!
    Conta em branco!
    Banco do Brasil
    Informe o numero da agencia.
    Informe o numero da conta.
    Informe sua senha de 4 digitos.
    IExplore
    www14.bancobrasil.com.br
    GRIPNET/gracgi.exe
    bbr
    bradesco.com.br/scrip
    bradesco
    Internet Banking CAIXA
    caixa
    Gerenciador Financeiro
    Mantenha sua senha em sigilo
    Resposta secreta sem branco
    Bradesco
    Erro
    Senha de 4 d gitos em branco!
    5 Digitos em branco!
    Senha do cart o inv lida!!
    Senha de 4 d gitos inv lida!!
    mero do Portador incorreto!
    Erro
    Preencha corretamente o campo 'Ag ncia'!
    Preencha corretamente o campo 'Conta'!
    Preencha corretamente o campo 'Senha'!
    Erro
    Preencha corretamente o campo 'Senha'!
    Erro
    ncia em branco!
    Conta em branco!
    Senha em branco!
    Senha do 'Auto-Atendimento' inv lida!!
    Senha do 'Cart o' inv lida!!
    Selecione o 'titular' da conta.
    Informe seu CPF, assim garantindo maior seguran
    UhInforme o numero da conta.
    Informe sua resposta secreta.
    Informe a senha do cart
    Erro!
    ncia em branco
    Conta em branco
    gito em branco
    Senha 'Atendimento' Inv lido
    Senha do 'cart o' inv lida
    CPF em branco
    Erro
    ncia em branco!
    Conta em branco!
    Senha da Internet em Branco!!
    Senha do 'Cart o' em Branco!!
    Senha da Internet Inv lida!!
    Erro
    Assinatura Eletr nica em branco!
    Assinatura Eletr nica Inv lido!
    Caixa Econ
    Preencha corretamente o campo 'Chave de acesso'!
    Preencha corretamente o campo 'Senha de acesso'!
    Preencha corretamente o campo 'Ag ncia'!
    Preencha corretamente o campo 'Conta Corrente'!
    Senha de 8 digitos invalida!
    Gerenciador Financeiro

There are also references to Internet Explorer and Iexplore. Either this program watches for these strings or it displays them for some reason.

    Internet Explorer
    Ocorreu um erro no Internet Explorer, abra novamente uma janela de Browser.
    Novo sistema de login em fase inicial - Microsoft Internet Explorer
    bbr
    bradesco

The most interesting string, however, is 'Shell DocObject View'. This is a method by which Internet Explorer can be controlled by another program. Getting more worrying, isn't it ;-) See the link below for an example:

    http://www.codeguru.com/Cpp/misc/misc/internetexplorer/article.php/c8163/

OK, now onto what changes the program may make to the host system when run.
Well, the strings below suggest that it will create a start-up entry called svchosts that points to a file called svchosts.exe (very similar to the legitimate svchost.exe file):

    Svchosts
    \Software\Microsoft\Windows\CurrentVersion\Run
    \svchosts.exe

There also appear to be references to two files, one being svchosts.exe and the other a text file (for logging captured information, possibly):

    \svchosts.exe
    \mswndkl.txt

As well as this there are some references to Adobe Photoshop. Used by Delphi, or by embedded pictures?

OK. Back to that reference to Delphi. The resultant unpacked.exe was examined with PEiD. This proved that it was indeed created with Delphi. This we can work with!

The file header MZP is often seen in Delphi executables. The MZ is the DOS stub. The MZP suggests all Delphi executables use the same real mode DOS stub for their Windows executables.

OK, there is a tool called DFM Editor that lets us look at the forms that are contained within a Delphi executable file. This may provide some interesting viewing.

Well, this looks very scary. Looks like some fake screens to capture bank account details. Unfortunately it looks like DFM Editor can't display the picture data that is referenced in the form. Pity really. A search of the web doesn't give any clues on how to display these pictures. But I do find something else...

DeDe is a tool to decompile Delphi executables, well almost. It extracts the forms and units but not the Delphi source code. Instead it displays the assembler code. Interestingly, DeDe extracts the exe file to a project called Teclados, which is Portuguese for Keyboard. Most of these web sites use virtual keyboards. This should be enough to grab the forms and then load them into a trial copy of Delphi (450 MB download, hope it's worth the effort).

Delphi screens

Main form with Timer (for checking IE at intervals?), SMTP and MIME controls. This form is a hidden form. Bingo!
These look amazingly similar to the real web pages, e.g. www.bradesco.com.br below. The forms contain text entry boxes to capture input; unfortunately, although there are references to mswnkdl.txt, they are in the assembler code.

So what do I expect this malware to do? Well, when run I expect it to create a file called svchosts.exe and put an entry in the registry so it is started each time the machine starts. I then guess it will watch for access to the URLs / banks mentioned above and then throw up the fake login screens, possibly suggesting they are a new login system. The details entered may be logged to the mswnkdl.txt file and this then e-mailed out from the compromised system via its own SMTP engine.

3) Now, using any methods available to you, which changes, if any, will this malware do in the system, among new files and registry entries...?

Again in the virtual machine I used Winalysis to perform a full MD5 fingerprint of the system and a log of both HKLM and HKCU registry information. I then ran the .scr file with Process Explorer, Registry Monitor and File Monitor capturing what was happening. I then ran Winalysis again to see what had changed. Here are the screenshots of what happened.

Winalysis comparison results

A new file called svchosts.exe was created in c:\windows.
A new registry key to load svchosts.exe at start-up was created.

Live capture data

Here is the .scr file creating c:\windows\svchosts.exe (from File Monitor).
Here is the .scr creating the registry entry (Registry Monitor).

Creating an MD5 value for the new svchosts.exe file tells me that it is an identical copy of the .scr program. So running the 'screen saver' appears to only modify the system by creating the svchosts.exe and the associated registry entry.

4. Now, what is the purpose of this malware?

The purpose of this malware would appear to be to capture and record confidential bank details / passwords for several Brazilian banks.
It would do this by monitoring web sites in IE and displaying fake login screens. It would then appear to e-mail them via SMTP.

5. When will this malware be triggered?

When the banks mentioned above are visited? I unfortunately couldn't set up a virtual machine that has access to a DNS server to prove this. When the malware is run it throws up the following error, which shows it is trying to access the network.

The error code translates to "Valid name, no data record of requested type":

    The requested name is valid and was found in the database, but it does not have the correct associated data being resolved for. The usual example for this is a hostname -> address translation attempt (using gethostbyname or WSAAsyncGetHostByName) which uses the DNS (Domain Name Server), and an MX record is returned but no A record - indicating the host itself exists, but is not directly reachable.

This doesn't happen on a machine with the DNS configured correctly.

6. Could you show any example of this malware behavior?

Not really (see above). I did not want to run this code on a production machine connected directly to the internet. I did set up a web proxy on the virtual machine which allowed me to browse the Brazilian bank websites, but was not able to trigger the display of the fake screens or the creation of the mswnkdl.txt file. I used Ethereal to monitor the network traffic but only noticed the HTTP traffic.

I also ran the malware on a test machine connected directly to the network but protected by a firewall. This blocked the malware from sending out an e-mail. Using SamSpade to perform a Whois shows it is trying to connect to smtp.terra.com.br. I didn't want to allow this on this system so could not use Ethereal to prove what was sent out. I did modify my Hosts file to redirect smtp.terra.com.br to my machine but ran out of time before I could configure a mail server to try and capture the message.
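The mail server that step needed does not have to be a real one: once the Hosts file points smtp.terra.com.br at the analysis box, a sink that accepts any MAIL FROM / RCPT TO, stores the message and never relays is enough to see what the sample would have sent. The Python below is an added example of such a sink, not a tool from this write-up. The protocol handling is a state machine fed one line at a time, so the same code runs offline against a scripted exchange (run_session) as well as on a socket (serve). The banner hostname sink.lab, the captured-*.eml file names and the sample session in the __main__ block are my assumptions.

```python
"""Sandbox SMTP sink: accepts any sender/recipient, stores the message, never relays.
Added example, not a tool from the write-up."""
import datetime
import socketserver

HOSTNAME = "sink.lab"   # assumed name announced in the banner


class SmtpSink:
    """One SMTP session. feed() takes a CRLF-stripped client line and returns the reply."""

    def __init__(self):
        self.mail_from = None
        self.rcpt_to = []
        self.data_lines = None   # a list only while inside DATA
        self.messages = []       # captured (sender, recipients, body) tuples
        self.quit = False

    def greeting(self):
        return f"220 {HOSTNAME} ESMTP sandbox sink ready"

    def feed(self, line):
        if self.data_lines is not None:          # collecting the message body
            if line == ".":                      # lone dot ends the body
                body = "\r\n".join(self.data_lines)
                self.messages.append((self.mail_from, list(self.rcpt_to), body))
                self.data_lines, self.mail_from, self.rcpt_to = None, None, []
                return "250 OK: message captured"
            # RFC 5321 dot-stuffing: a body line that starts with ".." carries a literal "."
            self.data_lines.append(line[1:] if line.startswith("..") else line)
            return ""                            # no reply while reading the body
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return f"250 {HOSTNAME} greets {arg}"
        if verb == "MAIL":                       # MAIL FROM:<addr>
            self.mail_from = arg.partition(":")[2].strip()
            return "250 OK"
        if verb == "RCPT":                       # RCPT TO:<addr>
            if self.mail_from is None:
                return "503 need MAIL first"
            self.rcpt_to.append(arg.partition(":")[2].strip())
            return "250 OK"
        if verb == "DATA":
            if not self.rcpt_to:
                return "503 need RCPT first"
            self.data_lines = []
            return "354 end data with <CR><LF>.<CR><LF>"
        if verb == "RSET":
            self.mail_from, self.rcpt_to = None, []
            return "250 OK"
        if verb == "QUIT":
            self.quit = True
            return "221 bye"
        return "502 command not implemented"     # nothing else is needed to capture a message


def run_session(client_lines):
    """Drive a session from scripted client lines; returns (transcript, captured messages)."""
    sink = SmtpSink()
    transcript = ["S: " + sink.greeting()]
    for line in client_lines:
        transcript.append("C: " + line)
        reply = sink.feed(line)
        if reply:
            transcript.append("S: " + reply)
        if sink.quit:
            break
    return transcript, sink.messages


class SinkHandler(socketserver.StreamRequestHandler):
    """Socket glue: one SmtpSink per connection; captured messages are written to disk."""

    def handle(self):
        sink = SmtpSink()
        self.wfile.write((sink.greeting() + "\r\n").encode())
        while not sink.quit:
            raw = self.rfile.readline()
            if not raw:
                break
            reply = sink.feed(raw.decode("latin-1").rstrip("\r\n"))
            if reply:
                self.wfile.write((reply + "\r\n").encode())
        stamp = datetime.datetime.now().strftime("%Y%m%dT%H%M%S")
        for i, (sender, rcpts, body) in enumerate(sink.messages):
            with open(f"captured-{stamp}-{i}.eml", "w", encoding="latin-1") as fh:
                fh.write(f"X-Sink-From: {sender}\nX-Sink-To: {', '.join(rcpts)}\n\n{body}\n")


def serve(host="0.0.0.0", port=25):
    """Listen for the redirected connection (port 25 needs admin/root privileges)."""
    with socketserver.ThreadingTCPServer((host, port), SinkHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    # Constructed exchange showing both sides; in the lab you would call serve() instead.
    script = ["EHLO infected-host", "MAIL FROM:<victim@example.invalid>",
              "RCPT TO:<drop@example.invalid>", "DATA", "Subject: captured",
              "", "..leading dot kept", ".", "QUIT"]
    for entry in run_session(script)[0]:
        print(entry)
```

Because the sink answers 250 to everything the client wants, the sample completes its send and the full MIME message (the headers whose names appeared in the strings dump, plus any attachment) lands in the .eml file; a firewall rule that blocks every other outbound port keeps the box from talking to anything real while it runs.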
A Java program called 'MailSwerver' that runs on Windows and logs the e-mail sent to it looked promising. Unfortunately the hosting site is no longer available and I couldn't find a copy. Would have been interesting to see what it could do.

Oh, and just to make further live analysis impossible, my cheap Safecom switch connecting my machines to the router has failed, and almost caught fire. Does keep my hands warm though. Not my week really, as my car window was smashed last night as well. Must buy a lottery ticket ;-)

7. How do you think that this malware arrived on his computer? If the malware does not provide this information, what is your guess?

I can't give a definitive answer on this one. The 'screensaver' could have been sent as part of a social engineering e-mail (the most common attack vector) or downloaded from a website. As it doesn't even attempt to disguise its operation by installing a real screensaver it wouldn't last long on any reputable web site before being pulled. E-mail is my best guess, although a 'drive-by download' is also an option.

8. Do you think that this malware had anything to do with Joe's case?

Does Joe use any of the Brazilian banks mentioned in the code of the malware? If he does then this is very likely the cause of his missing funds. As the malware fakes password screens (to capture input) and can be seen to try and e-mail smtp.terra.com.br, it is very likely that his login information could be sent out via this software.

Useful info

Jotti scan of unpacked file.
VirusTotal scan of unpacked file.
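Coming back to the Question 3 findings (a new svchosts.exe in c:\windows, a Run-key value pointing at it, and an MD5 that matches the .scr), the Winalysis before/after comparison can be turned into an automatic check. The Python below is an added example, not part of this write-up: it diffs two Run-key snapshots, flags executables whose names sit within a couple of edits of a system binary (svchosts.exe vs svchost.exe), flags a genuine system-binary name that lives outside system32, and reports when the dropped file is byte-identical to the analysed sample. The snapshots, the file bytes and the hive placement are constructed to mirror the write-up's observation rather than exported from a real machine; on Windows the two dicts would come from exporting HKLM and HKCU ...\CurrentVersion\Run before and after the run.

```python
"""Audit new Run-key entries for system-binary look-alikes and dropped sample copies.
Added example; BEFORE/AFTER/FILES are constructed data, not a real export."""
import hashlib

# Binaries whose names get imitated; their legitimate copies live under system32.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "smss.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
LOOKALIKE_MAX_EDITS = 2   # assumed threshold: svchosts.exe is 1 edit from svchost.exe


def edit_distance(a, b):
    """Levenshtein distance (classic row-by-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def command_to_exe(command):
    """Executable path out of a Run-key command, quoted or not, arguments dropped."""
    cmd = command.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def assess_entry(value_name, command, read_file=None, sample_digest=None):
    """Reasons this Run-key entry deserves a look; an empty list means nothing odd was seen."""
    exe_path = command_to_exe(command)
    directory, _, exe = exe_path.replace("/", "\\").lower().rpartition("\\")
    findings = []
    if exe in SYSTEM_BINARIES:
        if not directory.startswith(SYSTEM_DIRS):
            findings.append(f"{exe} outside system32 ({directory})")
    else:
        for legit in sorted(SYSTEM_BINARIES):
            d = edit_distance(exe, legit)
            if d <= LOOKALIKE_MAX_EDITS:
                findings.append(f"'{exe}' is {d} edit(s) away from '{legit}'")
    if read_file is not None and sample_digest is not None:
        data = read_file(exe_path)               # read_file: path -> bytes, or None if absent
        if data is not None and hashlib.sha256(data).hexdigest() == sample_digest:
            findings.append(f"{exe_path} is byte-identical to the analysed sample")
    return findings


def audit(before, after, read_file=None, sample_digest=None):
    """Compare two snapshots of {(hive, value_name): command}; assess new or changed entries."""
    report = []
    for key, command in after.items():
        if before.get(key) == command:
            continue                             # unchanged since the "before" snapshot
        hive, value_name = key
        report.append({"hive": hive, "value_name": value_name, "command": command,
                       "status": "changed" if key in before else "new",
                       "findings": assess_entry(value_name, command, read_file, sample_digest)})
    return report


# Constructed data mirroring the observation in the write-up (hive of the new value assumed).
SAMPLE_BYTES = b"MZP\x00constructed stand-in for the .scr bytes"
SAMPLE_DIGEST = hashlib.sha256(SAMPLE_BYTES).hexdigest()
FILES = {r"c:\windows\svchosts.exe": SAMPLE_BYTES}       # what the dropper wrote, as bytes
BEFORE = {("HKCU", "ctfmon"): r"C:\WINDOWS\system32\ctfmon.exe"}
AFTER = {**BEFORE, ("HKLM", "svchosts"): r"c:\windows\svchosts.exe"}

if __name__ == "__main__":
    for entry in audit(BEFORE, AFTER, FILES.get, SAMPLE_DIGEST):
        print(entry["status"], entry["hive"], entry["value_name"], "->", entry["command"])
        for finding in entry["findings"]:
            print("   !", finding)
```

The hash comparison is the cheap confirmation the author made by hand with Hksfv: if the file the new Run-key value points at hashes the same as the sample, the persistence mechanism is "copy self to %windir% and register the copy", which is exactly what the .scr was seen doing.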
Useful Tools & Links

Hksfv (MD5 checker) - http://www.big-o-software.com/products/hksfv/
PEiD - http://peid.has.it/
Process Explorer, Registry Monitor, File Monitor, Strings - http://www.sysinternals.com
PSPad - http://www.pspad.com/
MS AntiSpyware (Beta) - http://www.microsoft.com/athome/security/spyware/software/default.mspx
HijackThis - http://www.spywareinfo.com/~merijn/downloads.html
ScreenHunter - http://www.wisdom-soft.com/products/screenhunter.htm
AspackDie 1.41 - http://y0da.cjb.net/
DeDe - www.softpedia.com
PMAK - http://www.pmode.net/
ZoneAlarm - www.zonelabs.com
Winalysis - www.winalysis.com
RegShot - http://the7thlab.mybesthost.com/
DFM Editor 5.3 - http://www.mitec.cz
Delphi - http://www.borland.com/downloads/download_delphi.html
VirusTotal - http://www.virustotal.com/flash/index_en.html
Jotti Malware Scan - http://virusscan.jotti.org/
SamSpade online tools - http://www.samspade.org/t/
Portuguese translations - http://babelfish.altavista.com/tr